2. Information Systems Management COMP 1486
Acknowledgement
Firstly, we would like to express the special words of gratitude to IT Governance Institute for
publishing the case studies concerned with IT Governance and allowing everyone to reuse or to apply in
making his/her own research. We could reference and use IT governance case study of Sun Microsystems
for our ISM coursework because of their allowance. Moreover, we would like to present our genuine
appreciation to our supervisor, Daw Moe Pale, for her priceless and expert guidelines and we also thank
all people who helped us to accomplish this coursework but left to mention here.
2
3. Information Systems Management COMP 1486
Executive Summary
Recently, the concept of IT governance has gradually grasped the attention of both private
organizations and public organizations because it can control organization’s IT activities to reduce IT
related risks and costs. So, we will justify with Sun Microsystems to prove how IT governance can bring
many values to organizations.
Sun Microsystems is a leading provider of computer hardware, software and IT related services
with 30,000-plus staff. In 2000, Sun reduced its IT budget by 30 %. At the same time, Sun tried to comply
with SOX 404 regulations. Consequently, Sun implemented high level control framework COBIT
integrating with other IT governance frameworks such as ITIL, SOX compliance framework, etc to
manage its IT resources effectively.
IT governance is used for organization’s seven categories of controls: granting system access,
classifying data security, role-based duties segregation, data validation, event-driven authorizations, batch
processing and interfaces. To establish IT governance, Sun mapped its IT activities to COBIT’s 34 high-
level control activities.
To conclude, IT governance facilitated Sun to significantly define the accountability of
stakeholders to handle IT activities with its IT governance structure and Sun could comply with SOX
regulations due to IT governance processes. Moreover, overhead costs can be controlled because of KPIs,
KGIs and being able to reduce key risks more. According to the results of process assessment workshops,
Sun reached maturity level 2.5 in measuring its implemented IT governance. Thus, Sun is now planning
future-thinking activities to reach the maturity level higher than the current position so that Sun can live
in harmony with ever changing business world.
3
5. Information Systems Management COMP 1486
The Description of the Organization and the Market in which it Operates
(Word Count - 151)
Nowadays, many organizations appreciate the essence of IT governance and start applying this
concept to fulfil their business objectives in the competitive world. Among them, we want to demonstrate
Sun Microsystems as a model.
It was established in 1982 by embracing a remarkable vision, “The Network is the Computer” and
this boosts its market position as a foremost provider of Internet services, industrial-strength hardware
and software. So, products such as workstations, servers and IT services are available under this Inc.
According to employment statistics, 30,000-plus employees are working for branches of Sun sited in 100
countries. Being an international company, Sun’s IT department must support its wide community with 6
data centers with 1,700 servers, 600 applications and 600 terabytes of data. Moreover, Sun must handle 5
million e-mails and 4 million hits for internal web pages per day.
Hence, Sun determined to apply IT governance for controlling its IT resources.
5
6. Information Systems Management COMP 1486
A Description of the IT Governance Used (Word Count - 299)
Recently, IT governance has been a dominant factor for attaining business success from investing
in IT. Furthermore, Sarbanes-Oxley (SOX) Act makes arising IT governance issues for enhancing internal
controls on financial reporting. Consequently, IT governance frameworks were introduced to Sun.
Sun applied ITIL for managing IT services and Sigma for assuring quality. However, ITIL cannot
fully support IT governance. So, CIO realized that a common framework is needed to scrutiny Sun IT’s
alignment with company’s overall business strategy. Then, COBIT is selected for IT governance in
organization’s seven categories of controls: granting system access, classifying data security, role-based
duties segregation, data validation, event-driven authorizations, batch processing and interfaces.
To establish IT governance more effective, ITIL, Prince 2, SOX compliance framework, etc were
integrated with COBIT which embraces 34 high-level control objectives under four domains. As the
examples of IT governance used, we will explain how Sun mapped its IT processes to COBIT with the
last domain and who are liable for the processes with the first domain.
Monitor and Evaluate domain has 4 processes. Firstly, overall processes were monitored in
accordance with operational dashboard, customer metrics/survey. Next, Sun ensured that business needs
are satisfied by internal controls. Then, assurance of compliance with laws is obtained. Finally, Sun’s IT
functions were controlled by independent audit.
Besides, individual responsibilities must be assigned to execute Sun IT processes because
successful IT governance inevitably needs accountability for making decisions. For example, IT related
matters were processed by CTO and ITSTAR. ITGOV focused on budget, defining communication lines
and monitoring activities. ITSM managed quality metrics. But, potential risks were addressed by all
groups.
Finally, process assessment workshop was held to estimate maturity, key risks and costs to reduce
them, business benefits, performance indicators, goal indicators, etc. By these ways, sun implemented IT
governance successfully.
http://en.wikipedia.org/wiki/Corporate_governance_of_information_technology
6
7. Information Systems Management COMP 1486
A Summary of the Case Study (Word Count - 300)
Sun Microsystems established in 1982 is a leading provider of computer hardware, software and
IT related services with 30,000-plus staff. In 2004, Sun tried to comply with Sarbanes-Oxley 404 for
corporate transparency. Moreover, enhancing business value by the use of IT led Sun to apply IT
governance frameworks.
Firstly, ITIL framework and other process improvement methods were used for governing Sun’s
IT functions. Later, CIO recommended COBIT for more positive impacts on IT governance. Some IT
staff were against to implement COBIT because resources were stretched thin. But, they accepted COBIT
which embraces 34 high-level control objectives under four domains since it enables cross-process
integration with SOX, ITIL, PRINCE 2, etc.
IT governance was applied for Sun’s seven categories of controls. Sun systematically framed its
IT governance with well-defined roles and responsibilities for their IT processes. To do this, processes
were mapped to COBIT framework prior mapping them with process owners (IT governance committee,
other groups). Moreover, process assessment workshop was held for identifying gaps and assuring IT
governance was well established.
According to workshop, Sun only reached maturity level 2.5 for overall IT governance
processes. Since key risks of not closing with gap were only 1.28, cost for reducing them was low and
ease to implement them was easy. Likewise, highest business benefits can be gained because of having
low risks and it was rated as 9. Performance and goal indicators were assessed based on overhead
costs. Besides, maturity level for each process was shown in a radar-style chart and costs vs. benefits on
four-quadrant chart to let the audience see clearly.
To maintain momentum for IT governance, Sun will plan future-thinking activities such as giving
more COBIT presentations to staff, demonstrating links between COBIT and Sun’s already adopted
methods and discussing with process owners to fit with COBIT.
7
8. Information Systems Management COMP 1486
A critical Analysis of the Impact of the IT Governance on the Organization
(Word Count - 750)
IT governance is essential for organizations because it can add value to business by addressing
tactical alignment between business and IT, measuring IT performance and controlling IT risks. Since IT
governance has a great impact on organizations, they need to evaluate whether implemented IT
governance is effective. Generally, this evaluation is processed by considering IT governance
framework used, implemented IT governance structure, processes and its outcome metrics.
Therefore, we will analyze the impact of IT governance on Sun Microsystems based on these facts.
Nowadays, organizations with high awareness of IT governance issues enhance their IT
governance by combining two or more frameworks. Likewise, Sun implemented COBIT as high level
control framework and used ITIL, PRINCE 2, SOX framework, etc at COBIT’s appropriate stages to
meet business requirements more. Moreover, as COBIT can integrate with other frameworks, resources
already used for them will not be a waste in the resource-constrained environment.
Therefore, we can say that Sun's tailor-made IT governance framework have good impact on Sun
because it provides guidelines to systematically manage Sun’s IT resources. Furthermore, Sun will be
able to comply with Sarbanes-Oxley regulations more than ever because a high level framework can
create strong relationships with external and internal auditors through clearly described Sun's IT
activities.
http://www.pwc.com/en_mt/mt/publications/assets/it-governance-in-practice-jan-2007.pdf
IT governance structure can be categorized as centralized, decentralized and federal based on
organizational structure. As Sun IT organization transformed into centralized approach from distributed
one, we can infer that Sun applied centralized IT governance structure.
8
9. Information Systems Management COMP 1486
In analyzing its IT governance structure, we observed that Sun demonstrated the transparent
accountability of its major governing bodies. For example, Sun assigned ITGOV for monitoring activities
and budget, ITSTAR for advising all IT related matters and ITSM for managing quality metrics.
By considering these facts, it is obvious that Sun could standardize its IT functions and control
costs because of centralized IT governance structure and advantages such as ability to make decisions
quickly and eliminating redundant functions were gained because of transparent accountability and
managing by people in top management, i.e. CIO, ITGOV.
http://www.acc.ncku.edu.tw/chinese/faculty/shulc/courses/cas/articles/Bowen-enhancing-IT-
goverance.pdf
http://ifipwg82.org/sites/ifipwg82.org/files/Ch12-19-IT%20Governance%20Practices%20in%20SME-
formatted.pdf
In analyzing Sun’s IT governance processes, we observed that Sun implemented its IT
governance processes by mapping its IT processes to 34 high-level control activities of COBIT concerned
with planning and organizing to achieve business and IT objectives, acquiring and implementing IT
governance processes, delivering and supporting the required services, and monitoring IT performance.
Furthermore, these governance processes were defined by the most senior Sun’s IT executives to assure
coverage of all processes. Thus, we can conclude that Sun could generically express what IT governance
processes were implemented and this will have great impact on showing organizational internal controls
for IT activities.
For IT governance to be successful, organizations must monitor their IT performance according
to their defined metrics. Similarly, we noticed that metrics dealing with evaluating benefits vs. costs/risks
were used to criticize Sun’s IT governance. By analyzing the result of process assessment workshop in
our case study, we can infer that Sun could reduce its IT risks.
9
10. Information Systems Management COMP 1486
Since Sun could address key risks more and put key controls in place after implementing IT
governance, Sun gained high business benefits for its prioritized functions. Besides, Sun measured
whether their business requirements were achieved by IT processes and how well these processes were
performing based on its annual overhead costs. Therefore, we think that Sun could easily control its
overhead costs because of these key goal indicators (KGIs) and key performance indicators (KPIs).
To summarize, IT governance has a great impact on Sun to get business success. The most
obvious advantage is increasing possibility of complying with SOX regulations. Moreover, critical
success factors: optimizing Sun’s IT operations, bridging gaps between business and IT, becoming
accountability of stakeholders prominent and eliminating redundant functions were achieved. Besides,
overhead costs and IT risks were reduced because of defined KGIs and KPIs.
According to the declaration of Sun, administration costs were reduced and it reached breakeven
point within 4 months. Although Sun obtained many returns on investment, it was only at maturity stage
of 2.5 because there was only awareness for IT governance in Sun and IT governance activities were only
under development at that time. Furthermore, Sun’s IT governance framework was developed while all IT
staff were not fully familiar with it. However, Sun is now training its staff to understand more about IT
governance concepts and to reach higher maturity stage. If Sun can successfully perform these future-
thinking activities, we strongly believe that many happy returns will be brought to Sun.
http://www.technologyexecutivesclub.com/PDFs/ArticlePDFS/sungov.pdf
Overall Ideas for A critical Analysis of the Impact of the IT Governance on the Organization Session
are Referenced from below Resources
http://en.wikipedia.org/wiki/Corporate_governance_of_information_technology
http://www.itgi.org/template_ITGIa166.html?Section=About_IT_Governance1&Template=/ContentMan
agement/HTMLDisplay.cfm&ContentID=19657
http://www.itgi.org/template_ITGI9bfe.html?Section=Purpose&Template=/ContentManagement/HTML
Display.cfm&ContentID=19659
10
11. Information Systems Management COMP 1486
References
Book References
Book Name : Business Information Systems 3rd Edition
Author Name : Paul Bocij, Dave Chaffey, Andrew Greasley & Simon Hickie,
ISBN : 0273688146 Publisher : CPI – Bath Press, UK
Book Name : COBIT 3rd Edition Executive Summary
Author Name : COBIT Steering Committee and IT Governance Institute
ISBN : 1-893209-15-6
Web References
IT Governance Case Study
URL :
http://www.itgi.org/Template_ITGIf8a4.html?Section=ITGI&CONTENTID=57322&TEMPLATE=/Content
Management/ContentDisplay.cfm
Access Date : 10th September 2012
Description of the IT Governance Used
URL : http://en.wikipedia.org/wiki/Corporate_governance_of_information_technology
Access Date : 15th September 2012
A critical Analysis of the Impact of the IT Governance on the Organization
URL : http://en.wikipedia.org/wiki/Corporate_governance_of_information_technology
http://en.wikipedia.org/wiki/Corporate_governance_of_information_technology
http://www.itgi.org/template_ITGIa166.html?Section=About_IT_Governance1&Template=/ContentManagem
ent/HTMLDisplay.cfm&ContentID=19657
http://www.itgi.org/template_ITGI9bfe.html?Section=Purpose&Template=/ContentManagement/HTMLDispl
ay.cfm&ContentID=19659
http://www.pwc.com/en_mt/mt/publications/assets/it-governance-in-practice-jan-2007.pdf
http://www.acc.ncku.edu.tw/chinese/faculty/shulc/courses/cas/articles/Bowen-enhancing-IT-goverance.pdf
http://ifipwg82.org/sites/ifipwg82.org/files/Ch12-19-IT%20Governance%20Practices%20in%20SME-
formatted.pdf, http://www.technologyexecutivesclub.com/PDFs/ArticlePDFS/sungov.pdf
Access Date : 15th September 2012
11
12. Information Systems Management COMP 1486
Bibliography
Andrew Greasley, Paul Bocij, Dave Chaffey, Simon Hickie. (2006). Business Information
Systems (3rd Edition ed.). (A. Greasley, Ed.) England: CPI - Bath Press, UK.
COBIT Steering Committee and IT Governance Institue. Executive Summary. In COBIT 3rd
Edition.
12